EvilZone
Hacking and Security => Hacking and Security => : sensor July 15, 2011, 02:15:10 PM
-
Does anyone here know what type of encryption Wordpress uses ?
It used to be plain MD5.
Here is one sample password: $P$BsaP.8zr.ZeT2ktfTfJkgOAhNm3RJB/
All of them starts with: $P$B
Does it use some sort of salt ? Is it possible to crack it, etc.
Can you give me a hint ?
Thanks in advance,
Alex
-
Does anyone here know what type of encryption Wordpress uses ?
It used to be plain MD5.
Here is one sample password: $P$BsaP.8zr.ZeT2ktfTfJkgOAhNm3RJB/
All of them starts with: $P$B
Does it use some sort of salt ? Is it possible to crack it, etc.
Can you give me a hint ?
Thanks in advance,
Alex
Possibly of interest: http://www.stottmeister.com/blog/2009/06/30/new-wordpress-password-hasher-tool/ (http://www.stottmeister.com/blog/2009/06/30/new-wordpress-password-hasher-tool/)
Its from 2009, it says wordpress use PHPASS, a function from some framework.
Anyway, download Passwords Pro, it got a unbuilt wordpress password cracker ;)
-
Thanks a lot!
I already started up Passwords Pro, but noticed big performance drop, cracking MD5(Wordpress), rather md5() from PasswordsPro.
The best was 600 p/s, on 2 cores probably 1000 p/s.
Found Extreme GPU Bruteforcer again from InsidePro using CUDA GPU.
The results from CUDA performance from their site:
MD5 - 420 million p/s
MD5(Wordpress) - 0.05 p/s
Which is 8400x slower.
Thanks again, I'll further investigate & if I have valuable info i'll keep you posted ;)
-
The reason for the slow cracking of these passwords is so called: key stretching incorporated in PHPASS.
Here is more info on key strengthening:
http://en.wikipedia.org/wiki/Key_strengthening (http://en.wikipedia.org/wiki/Key_strengthening),
http://www.schneier.com/paper-low-entropy.html (http://www.schneier.com/paper-low-entropy.html)
Basically the time to generate the hash is increased by hashing the password multiple times - making Bruteforce ineffective method or slowing it down enough.